Windows Entra IDs can be bypassed worryingly easily - here's what we know

News
By published

Researchers find a way to work around FIDO-based authentication

Visual representation of a passkey on a computer chip
(Image credit: Shutterstock/ ArtemisDiana)
  • Experts warn FIDO is not supported on certain clients when accessing Entra ID
  • This triggers a fallback login mechanism that can be picked up
  • Mitigations should be put in place, researchers say

FIDO-based authenticator apps are considered one of the strongest practical defenses against phishing and credential theft, but judging by Proofpoint’s latest research, it is not without its weaknesses.

The company's researchers say they have found a way to force a target to abandon FIDO-based authentication for a weaker login method which can be picked up in transit.

That way, despite being protected by industry-standard defenses, victims can still end up losing access to key accounts.

Missing security features

The “weakness” in this scenario is that not all browsers support FIDO. Safari on Windows, for example, is not compatible with FIDO-based authentication in Microsoft Entra ID, and when a user with such a setup tries logging in, they are offered an alternative - an SMS-delivered one-time password, email, or an OAuth consent prompt.

All of these can then be picked up via an Adversary-in-the-Middle attack (AitM), relayed to the attackers, and used to log into the account.

"This seemingly insignificant gap in functionality can be leveraged by attackers," Proofpoint said in its report.

"A threat actor can adjust the AiTM to spoof an unsupported user agent, which is not recognized by a FIDO implementation. Subsequently, the user would be forced to authenticate through a less secure method. This behavior, observed on Microsoft platforms, is a missing security measure."

So far, Proofpoint says there is no evidence that this method is being abused in the wild, and speculates that threat actors still rather target accounts without multi-factor authentication (MFA) in the first place.

However, as more and more businesses deploy this anti-phishing technique, working around FIDO-based authentication might catch on.

To minimize the risk, businesses should turn off alternative authentication methods for key accounts, or at least turning on additional checks when an alternative is triggered.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.